ELKStack-生产案例项目实战
1、收集ES和apache日志,入redis
input { file { path => "/etc/httpd/logs/access_log" start_position => "beginning" type => "apache-accesslog" } file{ path => "/var/log/elasticsearch/myes.log" type => "es-log" start_position => "beginning" codec => multiline{ pattern => "^\[" negate => true what => "previous" } }}output{ if [type] == "es-log" { redis { host => ["192.168.137.11"] port => 6379 db => 1 data_type => "list" key => "es-log" timeout => 10 } } if [type] == "apache-accesslog" { redis { host => ["192.168.137.11"] port => 6379 db => 1 data_type => "list" key => "apache-accesslog" timeout => 10 } }} 启动/opt/logstash/bin/logstash -f /etc/logstash/conf.d/shipper.conf
2、通过syslog服务端主机,获取所有的客户端主机的syslog和redis中数据,写入ES
input{ syslog { type => "system-syslog" port => 514 } redis { type => "es-log" host => ["192.168.137.11"] port => 6379 db => 1 data_type => "list" key => "es-log" timeout => 10 } redis { type => "apache-accesslog" host => ["192.168.137.11"] port => 6379 db => 1 data_type => "list" key => "apache-accesslog" timeout => 10 }}filter { if [type] == "apache-accesslog" { grok { match => { "message" => "%{COMBINEDAPACHELOG}" } } }}output{ if [type] == "apache-accesslog" { elasticsearch { hosts => ["192.168.137.11:9200"] index => "apache-accesslog-%{+YYYY.MM.dd}" } } if [type] == "es-log" { elasticsearch { hosts => ["192.168.137.11:9200"] index => "es-log-%{+YYYY.MM}" } } if [type] == "system-syslog" { elasticsearch { hosts => ["192.168.137.11:9200"] index => "system-syslog-%{+YYYY.MM}" } }} 启动/opt/logstash/bin/logstash -f /etc/logstash/conf.d/redis-es.conf
